From 4938f97c971ce1af8317fc0274b02529c9cebe76 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 13 Feb 2019 17:21:16 +1100 Subject: [PATCH] record when querytsig is valid --- lib/dns/tsig.c | 52 +++++++------------------------------------------- 1 file changed, 7 insertions(+), 45 deletions(-) diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c index bb66c5f174..5030e24e7c 100644 --- a/lib/dns/tsig.c +++ b/lib/dns/tsig.c @@ -830,6 +830,7 @@ dns_tsig_sign(dns_message_t *msg) { unsigned char header[DNS_MESSAGE_HEADERLEN]; isc_buffer_t headerbuf; uint16_t digestbits; + bool querytsig_ok = false; /* * If it is a response, we assume that the request MAC @@ -876,14 +877,8 @@ dns_tsig_sign(dns_message_t *msg) { ret = dst_context_adddata(ctx, &r); if (ret != ISC_R_SUCCESS) goto cleanup_context; + querytsig_ok = true; } -#if defined(__clang__) && \ - ( __clang_major__ < 3 || \ - (__clang_major__ == 3 && __clang_minor__ < 2) || \ - (__clang_major__ == 4 && __clang_minor__ < 2)) - /* false positive: http://llvm.org/bugs/show_bug.cgi?id=14461 */ - else memset(&querytsig, 0, sizeof(querytsig)); -#endif /* * Digest the header. @@ -929,8 +924,7 @@ dns_tsig_sign(dns_message_t *msg) { } /* Digest the timesigned and fudge */ isc_buffer_clear(&databuf); - if (tsig.error == dns_tsigerror_badtime) { - INSIST(response); + if (tsig.error == dns_tsigerror_badtime && querytsig_ok) { tsig.timesigned = querytsig.timesigned; } isc_buffer_putuint48(&databuf, tsig.timesigned); @@ -981,19 +975,8 @@ dns_tsig_sign(dns_message_t *msg) { dst_context_destroy(&ctx); digestbits = dst_key_getbits(key->key); if (digestbits != 0) { - /* - * XXXRAY: Is this correct? What is the - * expected behavior when digestbits is not an - * integral multiple of 8? It looks like bytes - * should either be (digestbits/8) or - * (digestbits+7)/8. - * - * In any case, for current algorithms, - * digestbits are an integral multiple of 8, so - * it has the same effect as (digestbits/8). - */ - unsigned int bytes = (digestbits + 1) / 8; - if (response && bytes < querytsig.siglen) + unsigned int bytes = (digestbits + 7) / 8; + if (querytsig_ok && bytes < querytsig.siglen) bytes = querytsig.siglen; if (bytes > isc_buffer_usedlength(&sigbuf)) bytes = isc_buffer_usedlength(&sigbuf); @@ -1372,18 +1355,8 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, if (dns__tsig_algvalid(alg)) { uint16_t digestbits = dst_key_getbits(key); - /* - * XXXRAY: Is this correct? What is the expected - * behavior when digestbits is not an integral multiple - * of 8? It looks like bytes should either be - * (digestbits/8) or (digestbits+7)/8. - * - * In any case, for current algorithms, digestbits are - * an integral multiple of 8, so it has the same effect - * as (digestbits/8). - */ if (tsig.siglen > 0 && digestbits != 0 && - tsig.siglen < ((digestbits + 1) / 8)) + tsig.siglen < ((digestbits + 7) / 8)) { msg->tsigstatus = dns_tsigerror_badtrunc; tsig_log(msg->tsigkey, 2, @@ -1676,19 +1649,8 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { if (dns__tsig_algvalid(alg)) { uint16_t digestbits = dst_key_getbits(key); - /* - * XXXRAY: Is this correct? What is the - * expected behavior when digestbits is not an - * integral multiple of 8? It looks like bytes - * should either be (digestbits/8) or - * (digestbits+7)/8. - * - * In any case, for current algorithms, - * digestbits are an integral multiple of 8, so - * it has the same effect as (digestbits/8). - */ if (tsig.siglen > 0 && digestbits != 0 && - tsig.siglen < ((digestbits + 1) / 8)) + tsig.siglen < ((digestbits + 7) / 8)) { msg->tsigstatus = dns_tsigerror_badtrunc; tsig_log(msg->tsigkey, 2,